4.2.3 and warnings

README.md

@@ -10,7 +10,7 @@ Based on [CIS RedHat Enterprise Linux 8 Benchmark v2.0.0 - 02-23-2022 ](https://
 
 ## Join us
 
-On our [Discord Server](https://discord.gg/JFxpSgPFEJ) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
+On our [Discord Server](https://discord.io/ansible-lockdownJ) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
 
 ## Caution(s)
 
@@ -124,6 +124,29 @@ default : ok=270 changed=23 unreachable=0 failed=0 s
 - reports - This is a protected branch for our scoring reports, no code should ever go here
 - all other branches** - Individual community member branches
 
+## Lifecycle of releases and branches
+
+While Remediate and Audit are managed individually some of the content is linked. Ther are occasions where both need updating or just one of them.
+
+As a general rule we try to abide to the following lifecycle process for branches and releases inclduing ansible-galaxy sync updates. Being community we do have direct customer requests
+and requirements will take priority in releases.
+
+- devel branch
+ - Staging area for bug fixes PRs and new benchmarks.
+
+ We aim to get the majority of PRs merged to devel in 2-4 weeks.
+
+- Main branch
+ - Merge of devel in to main.
+
+ This is dependant on the severity and impact of issues closed. Normally a release alignment every 8-12 weeks (sometimes much quicker)
+
+ - New benchmark version release.
+
+ Once a new benchmark has been released by the provider we aim to get to a new tagged release in 2-4 weeks
+
+ - This is also the where the releases are sourced and linked with ansible-galaxy.
+
 ## Community Contribution
 
 We encourage you (the community) to contribute to this role. Please read the rules below.
@@ -151,9 +174,16 @@ https://bugs.launchpad.net/cloud-init/+bug/1839899
 
 ## Support
 
-This is a community project at its core and will be managed as such.
+This is a community project at its core and will be managed as such. Please provide as much information as possible and utilise the community [Discord Server](https://discord.io/ansible-lockdown).
+
+Refer to linked below drop us a message for further information
+
+- [Lockdown Enterprise](https://www.lockdownenterprise.com)
+ - support for individual repository benchmarks
+ - advice on how to use and adopt and priority issue adoption
+- [Ansible Counselor](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor)
+ - support for all available repos and enhanced support around ansible usage
 
-If you would are interested in dedicated support to assist or provide bespoke setups
+Bespoke automation support - ansible and otrher products
 
-- [Ansible Counselor](https://www.mindpointgroup.com/products/ansible-counselor-on-demand-ansible-services-and-consulting/)
-- [Try us out](https://engage.mindpointgroup.com/try-ansible-counselor)
+- Please enquire for specific requirements

defaults/main.yml

@@ -36,10 +36,6 @@ benchmark: RHEL8-CIS
 # Whether to skip the reboot
 skip_reboot: true
 
-# default value will change to true but wont reboot if not enabled but will error
-change_requires_reboot: false
-
-
 #### Basic external goss audit enablement settings ####
 #### Precise details - per setting can be found at the bottom of this file ####
 
@@ -570,6 +566,10 @@ rhel8cis_journald_runtimekeepfree: 100G
 # rhel8cis_journald_MaxFileSec is how long in time to keep log files. Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
 rhel8cis_journald_maxfilesec: 1month
 
+# 4.2.3 logrotate configuration
+# change to true if you wish to change logrotate.d conf files
+allow_logrotate_conf_umask_updates: false
+
 ## Section5 vars
 
 rhel8cis_sshd:

tasks/main.yml

@@ -166,4 +166,10 @@
  when:
  - run_audit
  tags:
- - run_audit
+ - run_audit
+
+- name: Output Warning count and control IDs affected
+ debug:
+ msg: "You have {{ warn_count }} warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}"
+ tags:
+ - always

tasks/post.yml

@@ -24,6 +24,14 @@
  when:
  - change_requires_reboot
  - skip_reboot
+
+ - name: "POST | Warning a reboot required but skip option set | warning count"
+ set_fact:
+ control_number: "{{ control_number }} + [ 'Reboot Required' ]"
+ warn_count: "{{ warn_count|int + 1 }}"
+ when:
+ - change_requires_reboot
+ - skip_reboot
  tags:
  - grub
  - level1-server
@@ -36,3 +44,9 @@
  - rhel8cis_section4
  - rhel8cis_section5
  - rhel8cis_section6
+
+- name: If Warning count is 0 set fact
+ set_fact:
+ control_number: "Congratulation None Found"
+ when:
+ - warn_count == '0'

tasks/section_1/cis_1.1.2.x.yml

@@ -1,11 +1,30 @@
 ---
 
 - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition"
- debug:
- msg: "WARNING!! /tmp is not mounted on a separate partition"
+ block:
+ - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Absent"
+ debug:
+ msg: "Warning!! /tmp is not mounted on a separate partition"
+ when:
+ - required_mount not in mount_names
+
+ - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Warn Count"
+ set_fact:
+ control_number: "{{ control_number }} + [ 'rule_1.1.2.1' ]"
+ warn_count: "{{ warn_count|int + 1 }}"
+ when:
+ - required_mount not in mount_names
+
+ - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present"
+ debug:
+ msg: "Congratulations: {{ required_mount }} exists."
+ register: var_mount_present
+ when:
+ - required_mount in mount_names
+ vars:
+ required_mount: '/tmp'
  when:
  - rhel8cis_rule_1_1_2_1
- - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0
  tags:
  - level1-server
  - level1-workstation

tasks/section_1/cis_1.1.3.x.yml

@@ -4,12 +4,19 @@
  block:
  - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Absent"
  debug:
- msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
+ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
  register: var_mount_absent
  changed_when: var_mount_absent.skipped is undefined
  when:
  - required_mount not in mount_names
 
+ - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Warn Count"
+ set_fact:
+ control_number: "{{ control_number }} + [ 'rule_1.1.3.1' ]"
+ warn_count: "{{ warn_count|int + 1 }}"
+ when:
+ - required_mount not in mount_names
+
  - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present"
  debug:
  msg: "Congratulations: {{ required_mount }} exists."

tasks/section_1/cis_1.1.4.x.yml

@@ -5,12 +5,19 @@
  block:
  - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent"
  debug:
- msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
+ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
  register: var_tmp_mount_absent
  changed_when: var_tmp_mount_absent.skipped is undefined
  when:
  - required_mount not in mount_names
 
+ - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn Count"
+ set_fact:
+ control_number: "{{ control_number }} + [ 'rule_1.1.4.1' ]"
+ warn_count: "{{ warn_count|int + 1 }}"
+ when:
+ - required_mount not in mount_names
+
  - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present"
  debug:
  msg: "Congratulations: {{ required_mount }} exists."

tasks/section_1/cis_1.1.5.x.yml

@@ -4,11 +4,19 @@
  block:
  - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Absent"
  debug:
- msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
+ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
  register: var_log_mount_absent
  changed_when: var_log_mount_absent.skipped is undefined
  when:
  - required_mount not in mount_names
+
+ - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Warn Count"
+ set_fact:
+ control_number: "{{ control_number }} + [ 'rule_1.1.5.1' ]"
+ warn_count: "{{ warn_count|int + 1 }}"
+ when:
+ - required_mount not in mount_names
+
  - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present"
  debug:
  msg: "Congratulations: {{ required_mount }} exists."

tasks/section_1/cis_1.1.6.x.yml

@@ -4,11 +4,19 @@
  block:
  - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent"
  debug:
- msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
+ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
  register: var_log_audit_mount_absent
  changed_when: var_log_audit_mount_absent.skipped is undefined
  when:
  - required_mount not in mount_names
+
+ - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn Count"
+ set_fact:
+ control_number: "{{ control_number }} + [ 'rule_1.1.6.1' ]"
+ warn_count: "{{ warn_count|int + 1 }}"
+ when:
+ - required_mount not in mount_names
+
  - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present"
  debug:
  msg: "Congratulations: {{ required_mount }} exists."

tasks/section_1/cis_1.1.7.x.yml

@@ -4,11 +4,19 @@
  block:
  - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent"
  debug:
- msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
+ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
  register: home_mount_absent
  changed_when: home_mount_absent.skipped is undefined
  when:
  - required_mount not in mount_names
+
+ - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Warn Count"
+ set_fact:
+ control_number: "{{ control_number }} + [ 'rule_1.1.7.1' ]"
+ warn_count: "{{ warn_count|int + 1 }}"
+ when:
+ - required_mount not in mount_names
+
  - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present"
  debug:
  msg: "Congratulations: {{ required_mount }} exists."

tasks/section_1/cis_1.2.x.yml

@@ -75,8 +75,13 @@
  - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Display repo list"
  debug:
  msg:
- - "Alert! Below are the configured repos. Please review and make sure all align with site policy"
+ - "Warning!! Below are the configured repos. Please review and make sure all align with site policy"
  - "{{ dnf_configured.stdout_lines }}"
+
+ - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Warn Count"
+ set_fact:
+ control_number: "{{ control_number }} + ['rule_1.2.4']"
+ warn_count: "{{ warn_count|int + 1 }}"
  when:
  - rhel8cis_rule_1_2_4
  tags:

tasks/section_1/cis_1.6.1.x.yml

@@ -94,8 +94,15 @@
 
  - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on unconfined services"
  debug:
- msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_6_unconf_services.stdout_lines }}"
+ msg: "Warning!! You have unconfined services: {{ rhelcis_1_6_1_6_unconf_services.stdout_lines }}"
  when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0
+
+ - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count"
+ set_fact:
+ control_number: "{{ control_number }} + [ 'rule_1.6.1.6 ]"
+ warn_count: "{{ warn_count|int + 1 }}"
+ when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0
+
  when:
  - rhel8cis_rule_1_6_1_6
  tags:

tasks/section_2/cis_2.4.yml

@@ -12,9 +12,14 @@
  - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Display list of services"
  debug:
  msg:
- - "Alert! Below are the list of services, both active and inactive"
+ - "Warning!! Below are the list of services, both active and inactive"
  - "Please review to make sure all are essential"
  - "{{ rhel8cis_2_4_services.stdout_lines }}"
+
+ - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Warn Count"
+ set_fact:
+ control_number: "{{ control_number }} + ['rule_2.4']"
+ warn_count: "{{ warn_count|int + 1 }}"
  when:
  - rhel8cis_rule_2_4
  tags:

tasks/section_3/cis_3.4.1.x.yml

@@ -100,18 +100,23 @@
 
 - name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone"
  block:
- - name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies"
+ - name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and policies"
  shell: "nmcli -t connection show | awk -F: '{ if($4){print $4} }' | while read INT; do firewall-cmd --get-active-zones | grep -B1 $INT; done"
  changed_when: false
  failed_when: false
  check_mode: no
  register: rhel8cis_3_4_1_6_interfacepolicy
 
- - name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies | Show the interface to policy"
+ - name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and policies | Show the interface to policy"
  debug:
  msg:
- - "The items below are the policies tied to the interfaces, please correct as needed"
+ - "Warning!! The items below are the policies tied to the interfaces, please correct as needed"
  - "{{ rhel8cis_3_4_1_6_interfacepolicy.stdout_lines }}"
+
+ - name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone | warning count"
+ set_fact:
+ control_number: "{{ control_number }} + [ 'rule_3.4.1.6' ]"
+ warn_count: "{{ warn_count|int + 1 }}"
  when:
  - rhel8cis_firewall == "firewalld"
  - rhel8cis_rule_3_4_1_6

tasks/section_3/cis_3.4.2.x.yml

@@ -96,12 +96,20 @@
  - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables"
  debug:
  msg:
- - "Warning! You currently have no nft tables, please review your setup"
+ - "Warning!! You currently have no nft tables, please review your setup"
  - 'Use the command "nft create table inet <table name>" to create a new table'
  when:
  - rhel8cis_3_4_2_5_nft_tables.stdout | length == 0
  - not rhel8cis_nft_tables_autonewtable
 
+ - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count"
+ set_fact:
+ control_number: "{{ control_number }} + [ 'rule_3.4.2.5' ]"
+ warn_count: "{{ warn_count|int + 1 }}"
+ when:
+ - rhel8cis_3_4_2_5_nft_tables.stdout | length == 0
+ - not rhel8cis_nft_tables_autonewtable
+
  - name: "3.4.2.5 | PATCH | Ensure a table exists | Create table if needed"
  command: nft create table inet "{{ rhel8cis_nft_tables_tablename }}"
  failed_when: no

tasks/section_4/cis_4.2.2.x.yml

@@ -85,7 +85,13 @@
  - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Alert on bad status"
  debug:
  msg:
- - "ALERT! The status of systemd-journald should be static and it is not. Please investigate"
+ - "Warning!! The status of systemd-journald should be static and it is not. Please investigate"
+ when: "'static' not in rhel8cis_4_2_2_2_status.stdout"
+
+ - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count"
+ set_fact:
+ control_number: "{{ control_number }} + [ 'rule_4.2.2.2' ]"
+ warn_count: "{{ warn_count|int + 1 }}"
  when: "'static' not in rhel8cis_4_2_2_2_status.stdout"
  when:
  - rhel8cis_rule_4_2_2_2
@@ -191,9 +197,13 @@
  - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Display file settings"
  debug:
  msg:
- - "Alert! Below are the current default settings for journald, please confirm they align with your site policies"
- # - "{{ rhel8cis_4_2_2_7_override_settings.stdout_lines }}"
+ - "Warning!! Below are the current default settings for journald, please confirm they align with your site policies"
  - "{{ (rhel8cis_4_2_2_7_override_status.matched >= 1) | ternary(rhel8cis_4_2_2_7_override_settings.stdout_lines, rhel8cis_4_2_2_7_notoverride_settings.stdout_lines) }}"
+
+ - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Warn Count"
+ set_fact:
+ control_number: "{{ control_number }} + [ 'rule_4.2.2.7' ]"
+ warn_count: "{{ warn_count|int + 1 }}"
  when:
  - rhel8cis_rule_4_2_2_7
  tags: